Worm:Win32/Koobface.I


Worm:Win32/Koobface.I is a worm that spreads via Facebook, Friendster, and other social networking Web sites.


What to do now

Manual removal is not recommended for this threat. To detect and remove this threat and other malicious software that may have been installed, run a full-system scan with an up-to-date antivirus product such as the Microsoft Safety Scanner (http://go.microsoft.com/fwlink/?LinkId=212742). For more information, see http://www.microsoft.com/protect/computer/viruses/vista.mspx.

Threat behavior

Worm:Win32/Koobface.I is a worm that spreads via Facebook, Friendster, and other social networking Web sites.
Installation
When executed, Win32/Koobface.I may copy itself to the Windows folder using a file name with the following format:
%windir%\<letters><2-digit number>.exe
 
For example:
  • %windir%\bolivar31.exe
  • %windir%\bolivar30.exe
  • %windir%\ld01.exe
  • %windir%\che08.exe
  • %windir%\freddy35.exe
 
It drops a cleanup Batch script with a pseudo-random file name to the root of the local drive, for example:
C:\355674543.bat
 
When run, the Batch script removes the originally running worm.
 
Win32/Koobface.I also drops the following log file:
C:\social<date>.log
 
It modifies the system registry so that it automatically runs every time Windows starts, for example:
 
Adds value: "sysftray2"
With data: "%windir%\bolivar19.exe"
To subkey: HKLM\Software\Microsoft\Windows\Currentversion\Run
 
Adds value: "sysldtray"
With data: "%windir%\ld01.exe"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
 
It also creates the following registry entries:
 
Adds value: "CLSID"
With data: "{25336920-03F9-11cf-8FD0-00AA00686F13}"
To subkey: HKLM\SOFTWARE\Classes\MIME\Database\Content Type\application/xhtml+xml
 
Adds value: "Extension"
With data: ".xml"
To subkey: HKLM\SOFTWARE\Classes\MIME\Database\Content Type\application/xhtml+xml
 
Adds value: "Encoding"
With data: "hex:08,00,00,00,"
To subkey: HKLM\SOFTWARE\Classes\MIME\Database\Content Type\application/xhtml+xml
 
Win32/Koobface.I also creates a mutex to ensure that only one instance of itself is running in memory. The mutex name is usually composed of a random number and letter combination, for example:
44455345g43545
Spreads Via...
Social Networking Web Sites
Worm:Win32/Koobface.I checks for cookies for the following popular social networking sites:
  • facebook.com
  • friendster.com
  • hi5.com
  • myspace.com
  • bebo.com
 
It then uses the found cookies to connect to the site and post messages to the list of friends available in the user's account. The message contains data retrieved by this worm from a remote server, whose name has the following format:
<letters><current date>.com
 
For example:
  • 1dns210109.com
  • temp210108.com
  • wm21012009.com
  • open21012009.com
  • 5824125537.com
 
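The file-name, Run-key and server-name formats described above can be turned into host and DNS hunting rules. The following is an added example written for this entry, not Microsoft's tooling; the regular expressions and the sample registry rows are constructed from the indicators quoted here, and the date parsing assumes the server name ends in a DDMMYY or DDMMYYYY date as the examples suggest.

```python
import re
from datetime import datetime

# Constructed patterns modelled on the indicators in this entry (not Microsoft's own signatures).
DROPPER_PATH_RE = re.compile(r"^%windir%\\[a-z]+\d{2}\.exe$", re.I)   # %windir%\<letters><2-digit number>.exe
RUN_SUBKEY_RE = re.compile(r"^HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run$", re.I)
KNOWN_RUN_VALUE_NAMES = {"sysftray2", "sysldtray"}                    # value names quoted in the entry
C2_DOMAIN_RE = re.compile(r"^[a-z0-9]*?(\d{6}|\d{8})\.com$", re.I)    # <letters><current date>.com

def is_dropper_path(path: str) -> bool:
    """True if a path has the %windir%\\<letters><2-digit number>.exe shape the worm uses."""
    return bool(DROPPER_PATH_RE.match(path))

def c2_domain_date(domain: str):
    """Return the date embedded in a <letters><date>.com server name (DDMMYY or DDMMYYYY), else None."""
    m = C2_DOMAIN_RE.match(domain)
    if not m:
        return None
    digits = m.group(1)
    try:
        parsed = datetime.strptime(digits, "%d%m%y" if len(digits) == 6 else "%d%m%Y")
    except ValueError:  # trailing digits are not a calendar date
        return None
    return parsed.date() if 2000 <= parsed.year <= 2099 else None

def suspicious_run_entries(entries):
    """entries: (subkey, value_name, data) triples, e.g. parsed from a registry export.
    Flags Run values that use the worm's known names or point at a dropper-shaped file."""
    hits = []
    for subkey, name, data in entries:
        if RUN_SUBKEY_RE.match(subkey) and (name.lower() in KNOWN_RUN_VALUE_NAMES or is_dropper_path(data)):
            hits.append((name, data))
    return hits

# Constructed sample registry export; the first two rows mirror the values listed in this entry,
# the third is a benign placeholder that must not be flagged.
SAMPLE_RUN_ENTRIES = [
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "sysldtray", r"%windir%\ld01.exe"),
    (r"HKLM\Software\Microsoft\Windows\Currentversion\Run", "sysftray2", r"%windir%\bolivar19.exe"),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "ExampleUpdater", r"C:\Program Files\Example\upd.exe"),
]

if __name__ == "__main__":
    for name, data in suspicious_run_entries(SAMPLE_RUN_ENTRIES):
        print(f"suspicious Run value {name!r} -> {data}")
    for d in ("1dns210109.com", "wm21012009.com", "5824125537.com"):
        print(d, "->", c2_domain_date(d))
```

The date check is a heuristic: a server name whose trailing digits are not a date (such as 5824125537.com in the list above) is not matched, so it should be paired with the sample list rather than replace it.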
The messages use various social engineering techniques to entice the user's friends to click on the link. Some of the messages it may display are the following:
 
Title: W.O.W.
Text: ooPS. looks like i found your private video on net.
Link: http://to<REMOVED>.com/go/be.php?chd68f3=d41d8cd98f00b204e9800998ecf8427e
 
Title: Thiss is videeo wwith yyou. YYou're doingg soomething fuunny thhere.
Text: Hallo.
Link: http://files.<REMOVED>.com/ram<REMOVED>/youtube/video.gif?9cfb5683ch=d41d8cd98f00b204e9800998ecf8427e
 
Title: wow
Text: Super video with you.
Link: http://f<REMOVED>.com/go/fr.php
 
A sample message received from Friendster is the following:
 
 
Clicking on the malicious link leads to a Web site that purports to load a video. The user then gets a message that the video cannot be loaded without installing an update of Adobe Flash Player. The offered download is not actually Adobe Flash Player but is a copy of this worm.
Payload
Backdoor Functionality
Win32/Koobface.I can perform any of the following actions on the system, depending on commands from the remote server:
  • Download updates to itself
  • Send information about the system
  • Retrieve messages to post
  • Start and stop the malware service
 
Analysis by Elda Dimakiling

Symptoms

System Changes
The following system changes may indicate the presence of this malware:
  • The presence of the following files:
    %windir%\bolivar31.exe
    %windir%\bolivar30.exe
    %windir%\ld01.exe
    %windir%\che08.exe
    %windir%\freddy35.exe
  • The presence of the following registry modifications:
    Added value: "sysftray2"
    With data: "%windir%\bolivar19.exe"
    To subkey: HKLM\Software\Microsoft\Windows\Currentversion\Run
    Added value: "sysldtray"
    With data: "%windir%\ld01.exe"
    To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • You received a message from a friend on Facebook, MySpace, Friendster, or another popular Web site that links to an untrusted Web site prompting you to download an executable file.

Prevention


Alert level: Severe
First detected by definition: 1.49.1581.0
Latest detected by definition: 1.173.2181.0 and higher
First detected on: Jan 07, 2009
This entry was first published on: Feb 03, 2009
This entry was updated on: Apr 17, 2011

This threat is also detected as:
  • Win32/Koobface!generic (CA)
  • Win32/Koobface.NAO (ESET)
  • Net-Worm.Win32.Koobface.dq (Kaspersky)
  • W32/Koobfa-Gen (Sophos)